
ci: dedupe stale same-name checks in policy-gate #3242

Open
ootakazuhiko wants to merge 3 commits into main from feat/3241-policy-gate-dedupe

Conversation

@ootakazuhiko (Collaborator)

Summary

  • dedupe stale same-name status checks in scripts/ci/policy-gate.mjs before evaluating required checks and gate checks
  • extend the generated policy-input-v1 contract with check timing metadata needed for the same latest-run semantics
  • keep the OPA policy (policy/risk-policy.rego) in parity with the JS implementation and add regression coverage

Root cause

policy-gate evaluated every same-name entry in statusCheckRollup. When an older CANCELLED run and a newer SUCCESS run for the same check name coexisted on one PR head, policy-gate could fail with a false negative such as required check failed: verify-lite.

What changed

  • scripts/ci/policy-gate.mjs
    • preserve workflowName, startedAt, and completedAt
    • collapse duplicate entries by type::name using completedAt -> startedAt -> later array entry
    • emit the same timing metadata into policy-input-v1
  • policy/risk-policy.rego
    • mirror the same latest-run dedupe for OPA shadow evaluation parity
  • schema/policy-input-v1.schema.json
    • allow the added check timing metadata
  • fixtures/policy/sample.policy-input-v1.json
    • refresh the sample contract fixture
  • tests/unit/ci/policy-gate.test.ts
    • add regression coverage for required-check dedupe, gate-check dedupe, startedAt fallback, pending latest run, and timestamp-less StatusContext fallback

Validation

  • pnpm -s exec vitest run tests/unit/ci/policy-gate.test.ts tests/unit/ci/risk-policy-gate-check-alignment.test.ts tests/unit/ci/policy-shadow-compare.test.ts
  • node scripts/ci/validate-json.mjs
  • git diff --check
  • local OPA parity check with /tmp/opa version 1.15.2
    • synthetic required-check-dedupe case: JS vs OPA snapshot match
    • synthetic gate-check-dedupe case: JS vs OPA snapshot match

Acceptance

  • stale same-name cancelled runs no longer poison a newer green required check or gate check
  • JS and OPA policy engines preserve the same latest-run semantics for policy-shadow-compare
  • the policy-input-v1 contract remains schema-valid with the additional metadata

Rollback

  • revert this PR to restore the previous any-failure-wins behavior and the older policy-input-v1 shape

Closes #3241

Copilot AI review requested due to automatic review settings April 14, 2026 16:48
github-actions Bot

Code Generation Drift Detection

Status: regeneration needed: No

Automated by AE-Framework Codegen

github-actions Bot commented Apr 14, 2026

CI Status Snapshot (2026-04-23T14:13:21.664Z)

github-actions Bot added labels on Apr 14, 2026: enforce-artifacts (Make artifact validation strict/blocking), enforce-testing (Make testing DDD scripts strict/blocking), risk:high (High risk PR; approval and gate labels required), run-ci-extended (Run CI Extended suites for this PR)
github-actions Bot commented Apr 14, 2026

Generate Artifacts Preview

Generated at: 2026-04-18T01:32:57.510Z

  • tests/api/generated: clean
  • artifacts/codex: clean
  • artifacts/spec: clean

github-actions Bot commented Apr 14, 2026

Coverage: n/a | Alerts: none | Formal: n/a | BDD: 3 criteria (Reserve inventory without going negative or double-booking) | LTL sugg: 3 | GWT: 0 | Adapters ok/warn/err=0/0/0 | Replay: n/a | Trace:

Harness Health

  • severity: warn
  • source: workflow=PR Maintenance, runId=24593868175, sha=fb89c1ee1b46aa84fb0d5e443e7f71e6e5e16ff7
Gate Status Checks

  • artifactsSchema: skip (0)
  • testingHarness: warn (1)
  • contextPack: skip (0)
  • runtimeConformance: skip (0)
  • ciExtended: skip (0)
  • uiE2E: skip (0)

Change Package

  • risk=risk:high (inferred=risk:low) | files=0 | areas=unknown | evidence=1/4 present/missing
  • required labels: (none) | missing: (none)
  • reproducibility: pnpm run verify:lite

Change Package Validation

  • result: WARN
  • strict: false
  • schema: PASS
  • required evidence: verifyLiteSummary, policyGateSummary, harnessHealth
  • missing required evidence: verifyLiteSummary, policyGateSummary
  • evidence present/missing(actual): 1/4
  • warnings:
    • missing required evidence: verifyLiteSummary, policyGateSummary

Plan Artifact

  • goal: Define plan-artifact/v1 and require it for high-risk PR pre-review.
  • scope: Add schema, generator, validator, policy-gate enforcement, PR summary integration, and operator documentation.
  • risk: risk:high
  • approvals required: 1
  • source: feat(ci): add high-risk plan artifact contract #2544 (main <- feat/2535-plan-artifact)

Assumptions

  • A1: High-risk PRs can commit plan artifacts under artifacts/plan before review.
  • A2: policy-gate checkout contains committed plan artifacts from the PR branch.

Files expected to change

  • schema/plan-artifact.schema.json
  • scripts/plan-artifact/generate.mjs
  • scripts/plan-artifact/validate.mjs
  • scripts/ci/policy-gate.mjs
  • .github/workflows/policy-gate.yml
  • .github/workflows/pr-ci-status-comment.yml
  • docs/ci/plan-artifact.md

Verification plan

  • V1: Contract and unit tests
    • command: pnpm exec vitest run tests/contracts/plan-artifact-contract.test.ts tests/unit/ci/plan-artifact-generate.test.ts tests/unit/ci/plan-artifact-validate.test.ts tests/unit/ci/risk-policy.test.ts tests/unit/ci/policy-gate.test.ts
    • expected evidence: tests/contracts/plan-artifact-contract.test.ts, tests/unit/ci/policy-gate.test.ts
  • V2: Schema and docs validation
    • command: node scripts/ci/validate-json.mjs && pnpm -s run check:doc-consistency && pnpm -s run check:ci-doc-index-consistency
    • expected evidence: fixtures/plan/sample.plan-artifact.json, docs/ci/plan-artifact.md

Rollback plan

Revert the plan-artifact schema, scripts, policy-gate integration, and PR summary wiring.

Required human input

  • Confirm the high-risk review scope before implementation proceeds.
  • Approve the required verification and rollback plan for the PR.

Notes

  • Change Package remains the after-change evidence artifact; this contract only covers before-change review.

Plan Artifact Validation

  • result: PASS

  • input: /home/runner/work/ae-framework/ae-framework/artifacts/plan/plan-artifact.json

  • schema: /home/runner/work/ae-framework/ae-framework/schema/plan-artifact.schema.json

  • policy: /home/runner/work/ae-framework/ae-framework/policy/risk-policy.yml

  • no issues

github-actions Bot commented Apr 14, 2026

Progress Summary

  • Missing: metrics, quality, traceability, phaseState

github-actions Bot

CodeX Artifacts Summary

  • Contract/E2E templates: 1 file (dir: tests/api/generated)
  • Tests: PBT files=123, BDD features=0
  • Formal specs: TLA=1, Alloy=1

github-actions Bot commented Apr 14, 2026

AE-Spec Validation Report

Status: ✅ Passed
Timestamp: 2026-04-18 01:33:38 UTC
Branch: refs/pull/3242/merge
Commit: fb89c1e

Validation Results

  • Compilation: AE-Spec → AE-IR successful
  • Linting: No critical issues found
  • Structure: All required fields present

AE-IR Summary

  • Version: 1.0.0
  • Entities: 1
  • API Endpoints: 2
  • Use Cases: 1
  • Invariants: 0

BDD Step Lint (non-blocking)

Usecases: 1

Issues: 1

  • Register User: no-validation — Usecase has no validation step

github-actions Bot commented Apr 14, 2026

KvOnce Trace Validation

  • OTLP: ✅ Success (Issues: 0)
  • NDJSON: ✅ Success (Issues: 0)

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the CI policy-gate evaluation to ignore stale same-name status checks by collapsing check entries to the latest run (and extends the policy-input.v1 contract to carry the timing metadata needed to support that semantic), while keeping OPA shadow evaluation aligned and adding regression tests.

Changes:

  • Deduplicate statusCheckRollup entries by type::name using completedAt/startedAt (with later-entry fallback) before evaluating required checks and gate checks.
  • Extend policy-input.v1 schema + sample fixture to include workflowName, startedAt, and completedAt for CheckRun.
  • Add unit regression coverage for required-check and gate-check dedupe semantics (including pending/latest logic and timestamp-less fallback).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • tests/unit/ci/policy-gate.test.ts: Adds regression tests covering same-name dedupe behavior across required and gate checks.
  • scripts/ci/policy-gate.mjs: Adds timing metadata to check entries, collapses duplicates prior to evaluation, and emits timing metadata into policy-input.v1.
  • schema/policy-input-v1.schema.json: Extends the contract schema to allow check timing metadata.
  • policy/risk-policy.rego: Mirrors "latest-run" dedupe logic for OPA parity.
  • fixtures/policy/sample.policy-input-v1.json: Updates the sample contract fixture to include the new metadata fields.


Comment thread policy/risk-policy.rego Outdated
chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e58e001f51


Comment thread scripts/ci/policy-gate.mjs Outdated
Comment thread policy/risk-policy.rego Outdated
github-actions Bot commented Apr 14, 2026

Quality Gates

  • Status: FAIL | env=testing | score=0 | gates=2/3 | blockers=1
  • Failed: security (new: security)
  • Report: reports/quality-gates/quality-report-testing-latest.json


github-actions Bot

CI Auto Rerun

Workflow Verify Lite failed on attempt 1.
Triggered a one-time rerun of failed jobs for run 24593809521.
If it fails again, please investigate the root cause.

@ootakazuhiko (Collaborator, Author)

I have checked the review bodies and all inline comments.

  • The 2 review bodies were overview only and contained no individual additional action requests.
  • The 3 actionable inline threads were addressed in commit 97e3366c.
    • JS side: fixed so that a latest rerun with no timestamp is also judged pending on a later-entry-wins basis
    • Rego side: compare RFC3339 numerically with time.parse_rfc3339_ns, and unify on later-entry-wins when timestamps are missing or equal
    • Regression test: added a required-check case for a timestamp-less rerun

Local validation:

  • pnpm -s exec vitest run tests/unit/ci/policy-gate.test.ts tests/unit/ci/risk-policy-gate-check-alignment.test.ts tests/unit/ci/policy-shadow-compare.test.ts
  • node scripts/ci/validate-json.mjs
  • git diff --check

I will reply on each individual thread and resolve it.
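The dedupe rule from the PR summary (collapse by type::name using completedAt, then startedAt, then the later array entry) together with the pending and timestamp-less fallbacks from the reply above, as an added JavaScript example. This is not the project's scripts/ci/policy-gate.mjs: the rollup entry shape, the outcome mapping (only SUCCESS counts as passing), and the sample rollups are assumptions constructed for the example. The Rego mirror mentioned in the reply would make the same numeric comparison with time.parse_rfc3339_ns; it is not shown here.

```javascript
// Added example (not the project's scripts/ci/policy-gate.mjs): collapse
// same-name status checks to their latest run before evaluating required
// checks, so a stale CANCELLED run cannot poison a newer SUCCESS run.
//
// Input shape is an assumption modelled on GitHub's statusCheckRollup:
//   { __typename: 'CheckRun' | 'StatusContext', name, status?, conclusion?,
//     state?, startedAt?, completedAt? }
// Ordering rule: completedAt, then startedAt, then later array position.
// A key that is missing on either side, or equal, falls through to the next.

function parseTs(value) {
  // RFC 3339 timestamps compare as numbers; anything unparsable counts as missing.
  if (typeof value !== 'string') return null;
  const ms = Date.parse(value);
  return Number.isNaN(ms) ? null : ms;
}

// True when `candidate` (seen later in the array) should replace `current`.
function isLater(candidate, current) {
  for (const key of ['completedAt', 'startedAt']) {
    const a = parseTs(candidate[key]);
    const b = parseTs(current[key]);
    if (a !== null && b !== null && a !== b) return a > b;
  }
  return true; // no usable timestamp decided it: later array entry wins
}

function checkKey(entry) {
  return `${entry.__typename ?? 'CheckRun'}::${entry.name}`;
}

// One entry per type::name, keeping the latest run under the rule above.
function dedupeChecks(entries) {
  const latest = new Map();
  for (const entry of entries) {
    const key = checkKey(entry);
    const current = latest.get(key);
    if (current === undefined || isLater(entry, current)) latest.set(key, entry);
  }
  return [...latest.values()];
}

// Classify one check as 'success', 'pending' or 'failure'. Only SUCCESS is
// treated as passing here; that mapping is an assumption for the example.
function outcome(entry) {
  if (entry.__typename === 'StatusContext') {
    const state = String(entry.state ?? '').toUpperCase();
    if (state === 'SUCCESS') return 'success';
    if (state === 'PENDING' || state === 'EXPECTED') return 'pending';
    return 'failure';
  }
  if (String(entry.status ?? '').toUpperCase() !== 'COMPLETED') return 'pending';
  return String(entry.conclusion ?? '').toUpperCase() === 'SUCCESS' ? 'success' : 'failure';
}

// Latest-run semantics: evaluate each required name against its surviving entry.
// A required check that never reported is treated as pending, not failed.
function evaluateRequiredChecks(rollup, required) {
  const byName = new Map(dedupeChecks(rollup).map((e) => [e.name, outcome(e)]));
  const failures = [];
  const pending = [];
  for (const name of required) {
    const result = byName.get(name);
    if (result === 'success') continue;
    (result === 'failure' ? failures : pending).push(name);
  }
  return { ok: failures.length === 0 && pending.length === 0, failures, pending };
}

// The pre-fix behaviour for contrast: any failed same-name entry fails the check.
function anyFailureWins(rollup, required) {
  const failures = required.filter((name) =>
    rollup.some((e) => e.name === name && outcome(e) === 'failure'));
  return { ok: failures.length === 0, failures };
}

// Constructed sample data (not taken from any real PR).
const SAMPLE_ROLLUP = [
  { __typename: 'CheckRun', name: 'verify-lite', status: 'COMPLETED', conclusion: 'CANCELLED',
    startedAt: '2026-04-14T16:40:00Z', completedAt: '2026-04-14T16:41:00Z' },
  { __typename: 'CheckRun', name: 'policy-gate', status: 'COMPLETED', conclusion: 'SUCCESS',
    startedAt: '2026-04-14T16:40:00Z', completedAt: '2026-04-14T16:45:00Z' },
  { __typename: 'CheckRun', name: 'verify-lite', status: 'COMPLETED', conclusion: 'SUCCESS',
    startedAt: '2026-04-14T16:50:00Z', completedAt: '2026-04-14T16:58:00Z' },
];
// A newer rerun still in progress: no completedAt, later startedAt -> pending.
const PENDING_RERUN = [
  { __typename: 'CheckRun', name: 'gate', status: 'COMPLETED', conclusion: 'SUCCESS',
    startedAt: '2026-04-14T16:40:00Z', completedAt: '2026-04-14T16:45:00Z' },
  { __typename: 'CheckRun', name: 'gate', status: 'IN_PROGRESS', startedAt: '2026-04-14T16:50:00Z' },
];
// Legacy StatusContext entries carry no timestamps: the later entry wins.
const STATUS_CONTEXTS = [
  { __typename: 'StatusContext', name: 'external/scan', state: 'FAILURE' },
  { __typename: 'StatusContext', name: 'external/scan', state: 'SUCCESS' },
];

console.log('any-failure-wins:', anyFailureWins(SAMPLE_ROLLUP, ['verify-lite', 'policy-gate']));
console.log('latest-run:', evaluateRequiredChecks(SAMPLE_ROLLUP, ['verify-lite', 'policy-gate']));
```

With SAMPLE_ROLLUP, anyFailureWins reports verify-lite as failed because of the stale CANCELLED entry, while evaluateRequiredChecks sees only the later SUCCESS run. The fall-through in isLater is what makes an in-progress rerun (no completedAt) beat its completed predecessor on startedAt and then surface as pending, and what lets two timestamp-less StatusContext entries resolve to the later one.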

@ootakazuhiko (Collaborator, Author)

I have checked the additional CI status.

  • The required checks all pass on the latest head 6b9c56d5.
    • gate: pass
    • policy-gate: pass
    • verify-lite: pass
  • dod, on the other hand, still fails on the latest run, but it is a non-required composite quality gate.
  • The failure reason in the latest log was the Security Vulnerabilities threshold being exceeded.
    • critical: 3 > 2
    • high: 12 > 8
    • medium: 22 > 15

As an observed fact, this PR's diff is limited to policy-gate / Rego / schema fixture / tests / derived doc sync, and includes no changes to the package manifest, lockfile, or vulnerability gate configuration.
The root fix for dod is therefore not handled in this PR; for this scope, restoring the required CI and review completeness is treated as complete.
